Skip to main content
CVE-2026-56355 LOW Monitor

Information disclosure in GNU Savane's file-serving layer (frontend/php/file.php) allows network-accessible, unauthenticated remote attackers to bypass file authorization controls by supplying untrusted user-controlled data that the application incorrectly treats as authoritative in its access decision logic. Affected installations span Savane 3.14 through 3.17, confirmed by EUVD-2026-38135 and acknowledged via an FSF public statement. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog, though the AC:H CVSS rating suggests non-trivial exploitation rather than a trivially automated mass-scan scenario.

Information Disclosure Savane
NVD VulDB
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-56317 LOW PATCH Monitor

Cross-site scripting in Nuxt's globally registered NoScript component allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting payload via attacker-controlled slot content, such as URL query parameters. The vulnerability exists in both supported release lines - 3.x before 3.21.7 and 4.x before 4.4.7 - and is rooted in the server-side rendering pipeline writing slot content to innerHTML without escaping, bypassing Vue's normal template sanitization. No active exploitation has been confirmed in CISA KEV; vendor-released patches are available and the fix is a one-line change confirmed in open commit history.

XSS Nuxt
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.4%
CVE-2026-44911 LOW Monitor

Incorrect authorization enforcement in Apache NiFi 1.15.0 through 2.9.0 allows read-privileged users to submit configuration verification requests containing arbitrary proposed properties, bypassing the write-access requirement. The nifi-web-api REST endpoints for component configuration verification accepted proposed configuration overrides from any authenticated user with read access, enabling those users to invoke predefined verification methods - such as testing connectivity, credentials, or remote service endpoints - with attacker-supplied settings. No public exploit has been identified at time of analysis, and the fix is confirmed available in Apache NiFi 2.10.0.

Apache Authentication Bypass Nifi
NVD VulDB
CVSS 4.0
2.3
EPSS
0.3%
CVE-2026-56325 LOW PATCH Monitor

Preview subdomain resolution in Capgo before 12.128.2 is susceptible to app-id confusion because the resolver uses PostgreSQL's ILIKE operator - which treats underscores as single-character wildcards - instead of exact equality matching for app_id lookups. An authenticated attacker who can register a Capgo application can craft an app_id with strategically placed underscores that collide with a victim application's identifier, hijacking preview subdomain resolution and breaking preview functionality for the targeted app. No public exploit code exists and no active exploitation has been confirmed (KEV absent); the CVSS 4.0 score of 2.3 reflects genuinely low real-world risk constrained by high attack complexity, required authentication, and limited availability-only impact.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy